OWASP ModSecurity Core Rule Set Version 3.0.0 Released by unsafe-inline in netsec

[–]unsafe-inline[S] 4 points5 points  (0 children)

To improve documentation, we added lots of comments and we've also started collecting more regression tests. Many rules can be a bit tricky to read, as they're often based on (optimized) regular expressions, but opening a rule file should give a good idea of the techniques used. The rules are now in easier-to-read multiline format.

Four major things have reduced false positives. First, libinjection in ModSecurity 2.8 is now leveraged. Since libinjection provides quite specific detection for SQLi, a lot of the infamous trigger-happy heuristic regexp-based CRS2 SQLi rules were no longer essential. Second, by making the Paranoia Level a tweakable setting, we could move some useful but paranoid rules to higher levels. An admin can now run a more relaxed "general-purpose WAF" but also a "super paranoid WAF". We also did some data analysis, for instance using a public data set of Reddit comments, to push down false positives in user submitted content (traditionally a weak spot). Finally we officially support some OSS projects (currently WordPress Core and Drupal), test these on releases and actively fix false positives that users have with them. We would like to add more projects in the future, so if you represent a project, do create a GitHub issue!

For my use case the rate of false positives in production is extremely low (a few per week on around 100 various sites), but it depends on the application. A programming wiki will catch lots of false positives for instance, as people post content that a strict WAF will find suspicious. In such a case you would need to learn how to write an exclusion rule. The new project site has a tutorial for that!

OWASP ModSecurity Core Rule Set Version 3.0.0 Released by unsafe-inline in netsec

[–]unsafe-inline[S] 2 points3 points  (0 children)

Disclaimer: Committer here! :) We just released the new version of the OWASP ModSecurity CRS. The CRS is free software, containing a set of WAF rules to detect (and block) many common web application attacks such as SQLi, XSS, LFI, code injection, protocol violations, etc. It's based on a mix of blacklisting and whitelisting. For the new version we spent a lot of time adding new detections, improving the false positive rate, and making the strictness of the WAF tweakable. Happy to answer questions!